
Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference; it began in 2007. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities.

For 2012 the rules were changed to a capture-the-flag style competition with a point system.  Google withdrew from sponsorship of the event because the 2012 rules did not require full disclosure of exploits from winners.

When Pwn2Own 2012 concluded, we had seen Chrome, Internet Explorer, and Firefox all compromised; Apple’s Safari was the only browser left standing. This was the first year Chrome got hacked; it had been untouchable up until this year.

The exploits we saw used and executed were:

  • CVE-2010-3346 (Internet Explorer)
  • CVE-2009-3077 (Firefox)
  • CVE-2011-0115 (Safari)
  • CVE-2010-0050 (Safari)
  • CVE-2010-0248 (Internet Explorer)
  • CVE-2010-2752 (Firefox)

There was another Pwn2Own this year: a Zero Day Initiative (ZDI) event sponsored by RIM and AT&T, held in Amsterdam, where hackers were asked to compromise 4 devices:

  • BlackBerry Bold 9930
  • Samsung Galaxy SIII
  • Nokia Lumia 900
  • Apple iPhone 4S

Using exploits against:

  • Mobile Web Browsers
  • Near Field Communication (NFC)
  • Short Message Service (SMS)
  • Cellular Baseband

What we learned from this is that the iPhone 5 is vulnerable to the same attack that successfully breached an iPhone 4S at the mobile Pwn2Own hacker contest. A fully patched iPhone 4S device was compromised, and contacts, browsing history, photos and videos were stolen from the phone.

The iPhone took an epic hit when an exploit was built for the vulnerability in WebKit to beat Apple’s code-signing features and the MobileSafari sandbox. The same bug is present in the iOS6 Golden Master development code base, which means iPhone 5 is also vulnerable to the same exploit. Apple iPads and iPod Touch devices are also vulnerable.

The Samsung Galaxy S3 can be hacked via NFC (Near Field Communication), allowing attackers to download all data from the Android smartphone. Using a pair of zero-day vulnerabilities, a Samsung Galaxy S3 phone running Android 4.0.4 was exploited via NFC.

NFC is a technology that allows data to be sent over very short distances. For mobile devices, the protocol allows digital wallet applications to transfer money to pay at the register. While the technology has been slow to take off, despite the adoption by Google for its Wallet payment application, a number of recent high-profile announcements have boosted its adoption.

Through NFC it was possible to upload a malicious file to the device which allowed you to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation.  The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments.

These Pwn2Own competitions are great because they allow vendors and security researchers to get a good feel for exploits and patch vulnerabilities before they become a big problem.